Infosec: PCI Compliant Companies See Fewer Breaches

Most businesses fail to see how PCI-DSS compliance brings overall data security to their organisation

A report shows that while the majority of companies that comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) suffer fewer or no breaches, most security practitioners still do not perceive PCI as having a positive impact.

According to the study, 64 percent of PCI-DSS compliant organisations reported suffering no data breaches involving payment card data over the past two years, while only 38 percent of non-compliant companies reported suffering no card-related incidents over the same period.

When it came to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organisations suffered no more than a single data breach, compared to 22 percent of non-compliant companies. Notably, 26 percent of non-compliant businesses suffered more than five breaches over the same time period.

“At the end of the day, we believe that PCI-DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture,” said Amichai Shulman, co-founder and CTO of Imperva. “Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don’t – period.”

Despite evidence to the contrary, the study also found that 88 percent of respondents did not support the claim that PCI-DSS compliance has a positive effect on the number of breaches experienced, and only 39 percent mentioned data security improvement as one of the regulation’s value propositions for business. In fact, only 33 percent believe that PCI-DSS compliance expenditure is covered by the value it brings to organisation.

“Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI-DSS compliance,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.

This year’s report also found that two-thirds of respondents have achieved substantial compliance with PCI-DSS. In the 2009 PCI DSS Compliance Trends Study, the number of respondents who had achieved similar levels of compliance was only half and roughly 25 percent had not achieved any level of compliance. Only 16 percent of organisations surveyed in 2011 have not achieved any level of PCI-DSS by comparison.

“Over the past few years, most companies have matured in their understanding of the PCI mandate and have worked to meet strict compliance deadlines,” said Shulman. “We believe this is one of the primary reasons we’ve seen an overall increase in compliance and also, we believe, a decline in the number of credit card-related data breaches.”

“In an era where governments are struggling with the creation of vague yet complex data protection acts, the credit card industry took a bold step towards regulating itself, using plain language, clear goals and a pragmatic focus,” said University of Connecticut School of Business professor Robert Bird. “PCI isn’t perfect – but it succeeded by imposing security mandates and forcing attention on data security – all without government regulation.”

Controlling spiraling IT infrastructure cost and complexity is what drives interest in cloud automation. But what exactly is the return on investment on cloud automation technology? Based on a wide range of customer case studies, automating private cloud infrastructure management can improve the eciency of cloud operations, resource management, accelerated virtualization and deliver enormous CapEx […]

Cloud platforms are increasingly a viable option for a growing set of enterprise workloads. Business-aligned developers are aggressively leveraging public cloud platforms to build and deploy new elastic applications and to extend legacy capabilities. They have come to expect speed, choice, and cost transparency. Meanwhile, nearly half of enterprise IT shops claim to be building […]

Enterprise IT infrastructures are being transformed into dynamic, virtual infrastructures to enable increased agility, lower costs, and higher service levels. However, while these new shared infrastructures combine virtualization, resource aggregation, logical allocation, dynamic workload relocation, and settings reconfiguration, they also introduce significant complexities to resource management and capacity planning.

Akamai’s globally-distributed Intelligent Platform allows us to gather massive amounts of data on many metrics, including connection speeds, attack traffic, network connectivity/ availability issues, and IPv6 adoption progress, as well as traffic patterns across leading Web properties and digital media providers. Each quarter, Akamai publishes the State of the Internet Report.